WordPress Plugin Vulnerabilities

Groundhogg < 2.7.10 - Contributor+ Stored XSS

Description

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

Affects Plugins

Plugin icon
groundhogg
Fixed in 2.7.10

References

CVE
CVE-2023-2735

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
4.9 (medium)

Miscellaneous

Original Researcher
Lana Codes
Verified
No
WPVDB ID
6286bc28-1db6-4a91-a104-dac39ba908b4

Timeline

Publicly Published
2023-05-19 (about 11 months ago)
Added
2023-05-23 (about 11 months ago)
Last Updated
2023-05-23 (about 11 months ago)

Other

Published
Title
Published
2024-04-05
Title
WP Chat App < 3.6.4 - Admin+ Stored XSS
Published
2023-02-21
Title
GetResponse for WordPress < 5.5.32 - Contributor+ Stored XSS
Published
2024-03-26
Title
Elementor Website Builder – More than Just a Page Builder < 3.20.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Navigation
Published
2022-10-30
Title
Soledad < 8.2.6 - Subscriber+ Cross-Site Scripting
Published
2022-03-29
Title
Books & Papers <= 0.20210223 - Admin+ Stored Cross-Site Scripting